Symptom
Hosts cannot authenticate to AAA server.
Conditions
- EAP-TLS is used by the endpoints, which requires RADIUS packets larger than 1500 bytes and therefore leads to IP fragmentation (this also occurs when jumbo frames are configured on the switch),
- the fragmented packets are load-balanced per-packet (not per-flow) and can be dropped if there are security devices between the switch and the AAA server that cannot reconcile RADIUS fragments arriving on different interfaces, leading to packet drops.
Workaround
a) configure "ip cef load-sharing algorithm original", which forces all packets to take the same path, or
b) disable the redundant links on the switch towards the AAA server.
Further Problem Description
As per the current design, the application should not inject packets greater than 1500 bytes. If the application needs to inject packets greater than 1500 bytes, use the workarounds above.
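Added example, not part of this bug record: a Python model of the two conditions above and of workaround a). It builds a RADIUS Access-Challenge carrying a constructed 1500-byte EAP-TLS fragment (authenticators zeroed), fragments it at a 1500-byte MTU so that only the first IP fragment carries the UDP header, and contrasts per-packet path selection with a source/destination hash over two assumed equal-cost links. The addresses, link count and hash function are assumptions for illustration, not the switch's actual algorithm.

```python
import struct
import zlib

MTU = 1500           # link MTU in bytes
IP_HDR = 20          # IPv4 header without options
UDP_HDR = 8
RADIUS_HDR = 20      # code, identifier, length, request authenticator (RFC 2865)
EAP_MSG_MAX = 253    # EAP-Message attribute (type 79) carries at most 253 payload bytes

def radius_with_eap(eap_payload: bytes, code: int = 11, ident: int = 1) -> bytes:
    """Build a RADIUS packet (default Access-Challenge, code 11) that carries one
    EAP message split across EAP-Message attributes, as during an EAP-TLS exchange.
    Authenticator fields are zeroed placeholders, not computed."""
    chunks = [eap_payload[i:i + EAP_MSG_MAX] for i in range(0, len(eap_payload), EAP_MSG_MAX)]
    attrs = b"".join(bytes([79, len(c) + 2]) + c for c in chunks)
    attrs += bytes([80, 18]) + bytes(16)  # Message-Authenticator (80), required with EAP-Message
    length = RADIUS_HDR + len(attrs)
    return struct.pack("!BBH", code, ident, length) + bytes(16) + attrs

def ip_fragments(udp_payload: bytes, mtu: int = MTU) -> list:
    """Fragment one UDP datagram as an IPv4 router would: every fragment but the last
    carries a multiple of 8 data bytes, and only the first one contains the UDP header."""
    datagram = bytes(UDP_HDR) + udp_payload   # UDP header as a zeroed placeholder
    max_data = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < len(datagram):
        data = datagram[off:off + max_data]
        frags.append({"offset": off, "size": IP_HDR + len(data),
                      "has_udp_header": off == 0,
                      "more_fragments": off + len(data) < len(datagram)})
        off += len(data)
    return frags

def assign_links(frags: list, policy: str, links: int = 2,
                 flow: tuple = ("10.0.0.1", "10.0.0.2")) -> list:
    """Model which of `links` equal-cost paths each fragment takes (assumed addresses).
    'per-packet' rotates through the paths; 'per-destination' hashes the
    source/destination address pair, so all fragments of the flow share one path."""
    if policy == "per-packet":
        return [i % links for i in range(len(frags))]
    return [zlib.crc32("".join(flow).encode()) % links] * len(frags)

if __name__ == "__main__":
    pkt = radius_with_eap(b"\xaa" * 1500)     # constructed 1500-byte EAP-TLS fragment
    frags = ip_fragments(pkt)
    print(f"RADIUS length {len(pkt)} -> {len(frags)} IP fragments")
    for f, link in zip(frags, assign_links(frags, "per-packet")):
        print(f"offset={f['offset']:5d} udp_header={f['has_udp_header']!s:5} link={link}")
```

A middlebox that only sees the second fragment has no UDP ports to classify it with; the per-destination assignment keeps both fragments on one link so they arrive together.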